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(57) Abstract 

A value transfer system of at least one VCD (-Value Carrying Device) (1) and at least one VAD (-Value Accepting Device) (2). 
the VAD (2) having a memory (53) for storing at least an aggregate value (28) of previous accepted values and means for transferring a 
claiming message (13), the VCD (1) having a memory (52) for storing at least a balance value (7) and means for transferring a proving 
message (14), wherein the VAD (2) includes into the claiming message (13) a transaction value (20), a previous aggregate value (21) and 
a corresponding previously computed proving cryptogram (22). the VCD (I) computes and includes into the electronic message (14) a 
transaction proving cryptogram (35), computed on the basis of the previous aggregate value (21), the corresponding previously computed 
proving cryptogram (22) and the transaction value (20). and the VCD (1) computes the at least one transaction proving cryptogram (35) 
only if it has established the correctness of the received previous aggregate value (21) by using said corresponding previously computed 
cryptogram (22) and after it has reduced the balance value (7) with the transaction value (20). 
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1 

System with and method of cryptographically protecting communica- 
tions 



The state of the art in electronic purses is adequately 
5 described in part II of the (draft) European Standard EN 1546. The 
description as contained in that document is summarised here and 
schematically given in Figure 1; the draft standard contains a more 
detailed description and explicitly indicates the potential multi- 
plicity of parties involved in the protocols, which aspects have 
10 been omitted here for clarity • See also European patent 0,421,808- 
Bl. 

Referring to Figure 1, an electronic purse operates in that 
in return for payment from a holder of a Value Carrying Device 1. A 
Value Guaranteeing Institution 4 is responsible for securely load- 

15 ing Balance 7 held in Value Carrying Device memory 52 of the Value 
Carrying Device 1 with a value using a value initialising protocol 
12. The Value Carrying Device 1 is provided with a Value Carrying 
Device processor 50 connected to memory 52. 

For the purpose of a payment the Value Carrying Device 1 

20 which has a current value indicated as balance 7 engages with a 
Value Accepting Device 2 using a value transfer protocol 9- The 
Value Carrying Device 1 may be a tamper resistant device such as a 
smart card or may contain such a device that at least protects the 
integrity of the balance 7; the tamper resistant feature of the 

25 balance 7 is indicated in Figure 1 by the double lines surrounding 
the balance 7. The basis of the value transfer protocol consists of 
a first "claiming" message 13 from the Value Accepting Device 2 to 
the Value Carrying Device l t fundamentally containing the amount to 
be transferred and optionally additional data which may possibly in 

30 part serve as a cryptographic challenge and a "proving* message 14 
containing proof of debit of the balance 1. The cryptographic proof 
contained in the message 14 serves to authenticate the value trans- 
ferred in the message and indirectly the correctness of processing 
inside the Value Carrying Device 1 and ultimately establishes a 

35 guarantee for refunding the transferred value by the Value Guaran- 
teeing Institution 4. The Value Accepting Device 2 is provided with 
a» Value Accepting Device processor 51 connected to a Value Accept- 
ing Device memory 6. The Value Accepting Device processor 51 is f 
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preferably, also tamper resistant. 

The acceptance of the message depends on the verification by 
the Value Accepting Device 2 of the cryptographic proof contained 
in the message 14 upon which the Value Accepting Device 2 increases 
the value 8 held in its own secure storage 6, Alternative tech- 
niques may be used with equal result of accruing value in the Value 
Accepting Device 2. for instance one which allows value to be col- 
lected by storing every transaction individually in either secure 
or non secure storage in the Value Accepting Device. Such tech- 
niques may involve the exchange of more messages than those 
described in Figure 2 which may contain additional data, but the 
net effect is the same: transfer of value. United States patents 
4,996,711 and 5.131.039 of Chaum describe such possible protocols, 
mainly differing in the cryptographic techniques applied. These and 
other specific protocols are used in commercially available elec- 
tronic purse smart card applications. 

Periodically, for the purpose of recovering the values 
accepted from the Value Guaranteeing Institution 4, an Acquirer 3 
is involved which may be an entity independent from the Value Guar- 
anteeing Institution 4 or indentical to it. The Acquirer 3 uses an 
acquiring protocol 10 to transfer information about the values 
accepted by the Value Accepting Device 2 during that period for 
storage and processing and as a result makes a payment 15 to the 
operator of the Value Accepting Device 2. The British patent 
application 9505397.1 (Transmo) describes a particular realisation 
of an acquiring protocol. 

The Acquirer 3 may consolidate, by whatever means , value 
information from a multitude of Value Accepting Devices 2 and 
deduce the total value to be reclaimed from each Value Guaranteeing 
Institution 4 using a clearing and settlement protocol 11. As a 
result, a Value Guaranteeing Institution 4 makes a settlement 16 
with the Acquirer 3 for the payments 15 made for the value issued 
by that particular institution which had been accepted by the Value 
Accepting Devices 2 as acquired by said Acquirer 3, 

With electronic purse systems implemented according to the 
state of the art it is generally economically infeasible to store, 
communicate and electronically process individual transactions when 
they are in majority of small value, which is often the case. As a 
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remedy, a tamper resistant security device 6, commonly known as 
"SAM" (= Security Application Module) that is provided as an inte- 
gral component of every Value Accepting Device, is deployed into 
which individual payments are accumulated into a single value for 
5 subsequent processing by the Acquirer 3. Additionally the SAM is 
also used to hold security keys that when used in conjunction with 
a publicly known algorithm allow the Value Accepting Device 2 to 
verify in the value transfer protocol 9 the authenticity of the 
Value Carrying Device 1 and the value transferred; specifically to 

10 verify the correctness of the debit proof contained in message 1*4. 
The SAM 6 is thus an integral part of the security of the payment 
system and holds secret information common to the secret informa- 
tion held in each Value Carrying Device 1, it has to be secure 
against the revealing or alteration of its contents. If compromised 

15 by various forms of physical and or analytical attack, the SAM 6 
can be made to reveal the secrets upon which the entire security of 
payment schemes using such techniques rely. These tamper resistance 
requirements for the SAM 6 adds to the complexity and cost of Value 
Accepting Device's, to increased complexity of security management 

20 and increases the exposure to risks of misuse of the payment sys- 
tem. 

One could use public key cryptographic algorithms to protect 
the value transfer protocol in implementations of an electronic 
purse according to the state of the art which would obviate, ,in 

25 principle, the need for SAM 1 s 6 as part of the Value Accepting 
Device 2 to authenticate the Value Carrying Device 1 and the value 
transferred. This restricts the exposure to risks of misuse of the 
system. However, in general the amount of data required to be 
stored with each public key protected transaction is significantly 

30 large. The need to aggregate in the Value Carrying Device 1 is even 
greater than in alternative implementations. Again, where aggrega- 
tion is required the Value Carrying Device 1 must contain a secured 
component that can be trusted by the Value Guaranteeing Institution 
k or Acquirer 3 to perform the accumulation. The tamper resistance 

35 requirements for the Value Accepting Device 2 adds to the com- 
plexity and cost of the device and to increased complexity of 
security management in the system. 

In purse systems implemented according to the state of the 
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art the actual value transfer protocol 9 is complicated to ensure 
that failures in communications between Value Carrying Device 1 and 
Value Accepting Device 2 do not cause irrecoverable loss of value. 
Additional protocols may be implemented for recovery of value after 
5 interrupted communications. Fundamentally, with implementations 
according to the state of the art. the risk of irrecoverable loss 
of value can not be eliminated in full however complex the proto- 
col. The added complexity in protocols needed to reach a sufficient 
level of practical reliable operation increases the implementation 
10 costs, increases the transaction duration and may lead to more 
complicated device usage handling, e.g. for explicit recovery pro- 
tocols . 

The object of the current invention is, firstly, to obviate 
the need for secure devices in Value Accepting Devices, secondly, 

15 to guarantee no irrecoverable loss of value, thirdly, to simplify 
the value transfer protocol, and fourthly, to make it technically 
and economically feasible to apply a single type of protocol for a 
wide range of electronic payment applications, with varying 
requirements in speed of transaction, means of communication and 

20 range of values to transfer. A further purpose of the current in- 
vention is to bring a level of privacy protection to rechargeable 
purse systems in a manner which before has only been possible with 
public key cryptography without the need for the lengthy and com- 
plex public key cryptographic computations. 

25 The object of the present invention is obtained by a value 

transfer system comprising at least one Value Carrying Device and 
at least one Value Accepting Device being able to communicate with 
each other, the at least one Value Accepting Device comprising a 
Value Accepting Device memory for storing at least an aggregate 

30 value of previous accepted values and being arranged to transfer a 
claiming message representing at least a transaction value to said 
at least one Value Carrying Device, the at least one Value Carrying 
Device comprising a Value Carrying Device memory for storing at 
least a balance value and being arranged to transfer a proving 
35 message to said at least one Value Accepting Device, characterised 
in that 

the at least one Value Accepting Device is arranged to fur- 
ther include into the claiming message a previous aggregate value 
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and a corresponding previously computed proving cryptogram; 

the at least one Value Carrying Device is arranged to compute 
and include into the proving message at least one transaction prov- 
ing cryptogram, computed on the basis of the previous aggregate 
5 value, the corresponding previously computed proving cryptogram and 
the transaction value, and 

the at least one Value Carrying Device is arranged to compute 
the at least one transaction proving cryptogram only if it has 
established the correctness of the received previous aggregate 
10 value by using said corresponding previously computed cryptogram 
and after it has reduced the balance value with the transaction 
value. 

Risk exposure limitation can easily be obtained by having 
keys shared by small sets of Value Carrying Devices instead of 

15 global key sharing with the associated risk of full system collapse 
in the event of key compromise. A system using keys shared by small 
sets is claimed in claim 2. 

An other way of risk limitation may easily be obtained by 
reducing the maximum value of the resulting aggregate value, where 

20 the acquiring protocol resets the value. A system directed to such 
a risk limitation is claimed in claim 3- 

Still, an other way of risk limitation may be easily obtained 
by reducing the maximum value of each individual transfer. A system 
directed to such a way of risk limitation is claimed in claim 4. 

25 Still, a further way of risk limitation may be easily 

obtained by reducing the maximum number of transfers, that may be 
accepted by a device, where the acquiring protocol resets the 
count. A system directed to such a way of risk limitation is 
claimed in claim 5* 

30 The present invention is also directed to a Value Carrying 

Device as part of the system defined above, which is arranged to 
communicate with at least one Value Accepting Device, said Value 
Carrying Device comprising a Value Carrying Device memory for stor- 
ing at least a balance value and being arranged to receive a claim- 

35 ing message representing at least a transaction value and to trans- 
fer a proving message to said at least one Value Accepting Device, 
characterised in that the Value Carrying Device is arranged to 

receive through the claiming message a previous aggregate 
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value and a corresponding previously computed proving cryptogram; 

compute and include into the proving message at least one 
transaction proving cryptogram, computed on the basis of the previ- 
ous aggregate value, the corresponding previously computed proving 
cryptogram and the transaction value, and 

compute the at least one transaction proving cryptogram only 
if it has established the correctness of the received previous 
aggregate value by using said corresponding previously computed 
cryptogram and after it has reduced the balance value with the 
transaction value. 

Moreover, the present invention is directed to a Value 
Accepting Device as part of the system defined above, which is 
arranged to communicate with at least one Value Carrying Device, 
said Value Accepting Device comprising a Value Accepting Device 
memory for storing at least an aggregate value of previous accepted 
values and being arranged to transfer a claiming message represent- 
ing at least a transaction value to said at least one Value Carry- 
ing Device and to receive a proving message from said at least one 
Value Carrying Device, characterised in that 

said Value Accepting Device is arranged to further include 
into the claiming message a previous aggregate value and a corre- 
sponding previously computed proving cryptogram in order to allow 
the at least one Value Carrying Device to compute and include into 
the proving message at least one transaction proving cryptogram, 
computed on the basis of the previous aggregate value, the corre- 
sponding previously computed proving cryptogram and the transaction 
value, and to allow the at least one Value Carrying Device to com- 
pute the at least one transaction proving cryptogram only if it has 
established the correctness of the received previous aggregate 
value by using said corresponding previously computed cryptogram 
and after it has reduced the balance value with the transaction 
value. 

The present invention also relates to a method of 
cryptographically protecting a communication or a sequence of com- 
munications between a transmitter and a receiver, and of establish- 
ing a monotonic order in which messages are communicated or a 
strict monotonic change of numeric values contained in communicated 
messages characterised in that said communications include at least 
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one number representing said mono tonic order or representing said 
numeric values and cryptograms computed from the at least one num- 
ber in an encoding using a "Peano" number scheme as follows: 
choosing a discrete maximum value for the encoding; 
5 - selecting a cryptographic one-way function that maps starting 
numbers consisting of a predetermined number of bits to 
object numbers consisting of the same predetermined number of 
bits, a functional application to a number being defined as 
"successor operation" in the Peano number scheme; 

10 - selecting a random number consisting of said predetermined 
number of bits as zero element in the Peano number scheme; 
determining a value encoded in a number as the value of 
a Peano number determined by repeated functional applications 
of the one-way function starting with the zero element until 

15 a result of the functional application of the one-way 

function equals a code number to be decoded, wherein a code 
word is found not to be a valid encoding if none of the 
results of applying repetitively for a number of times equal 
to the chosen discrete maximum value the cryptographic one- 

20 way function starting with the selected zero element equals 

the code word; 

and in that the at least one transmitter is arranged to select said 
random number while keeping said random number confidential in 
order to warrant unconditional monotomicity of the message order or. 

25 of the numeric values communicated. 

Such a method effectively uses cryptographic encoding of 
monotonous series of data in one-way counters. Thus, secret keys 
used for encoding are based on a one-way scheme and can never be 
revealed by using reverse engineering techniques on data alone. 

30 Therefore, data can very securely be transmitted between a Value 
Carrying Device and a Value Accepting Device. 

One possible value transfer system based on the method 
defined above and using one-way counters based on cryptograms 
stored in the Value Accepting Device memory, is claimed in claim 

35 H- This embodiment improves over the method of plain cryptographic 
prooving cryptogram computation in that it allows use of simpler 
and cheaper shared key cryptography to prove a transfer where the 
value accepting device need not have available the secret to verify 
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the proof. In addition, it provides a basis for efficient 
verifiable protection in the acquiring protocol. 

An other possible embodiment of the method defined above is 
claimed in claim 13- The system of claim 13 does not need any addi- 
5 tional cryptogram. It is more efficient than the embodiment men- 
tioned above in that it reduces the amount of data to be trans- 
ferred. Moreover, it is stronger as it does not have any confiden- 
tial data stored in the Value Accepting Device. Moreover, it more 
elegantly includes the length (the discrete maximum value) of the 
10 one-way counter and additional data in the proving cryptogram. 

An advantageous value transfer system, which is especially 
suited for payments in units, e.g., in telephone systems, toll road 
systems, public transport systems or in systems for consulting WWW 
pages, is claimed in claim 16. 
15 The system as claimed in claim 17 shows further risk limita- 

tion by including a maximum value per transaction in a one-way 
counter based value cryptogram. 

Claims 18 and 20 claim Value Accepting Devices for use in a 
value transfer system using one-way counter based value crypto- 
20 grams, as defined above. 

Claims 19 and 21 claim Value Carrying Devices for use in a 
value transfer system using one-way counter based value crypto- 
grams, as defined above. 

Value Accepting Devices may, advantageously, be implemented 
25 as a device with a memory only, for instance, a magnetic-strip card 
or memory-chip card. 

The Value Carrying Devices may be implemented as smart cards. 
However, alternatively, the Value Carrying Devices and the 
Value Accepting Devices may be implemented together in an elec- 
30 tronic device commonly known as a "wallet". 

In the value transfer system as claimed in claim 25 the 
random nature of the proofing cryptogram is used to generate secret 
keys to conceal any electronic data associated with the value 
transfer. 

35 i n the value transfer system of claim 26 the random nature of 

the encoded new aggregate value is used to generate secret keys to 
conceal any electronic data of the value transfer whenever "peano" 
number schemes are used. 
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In the value transfer system according to claim 27 the 
balance is represented by two distinct numbers stored in the Value 
Carrying Device memory. This claim shows that with a proper orga- 
nization in the Value Carrying Devices the value transfer protocol 
5 can be applied to the value initialization protocol causing the 
value initialization protocol to have the same benefit of 
guaranteed no loss of value. 

In claim 28 a value transfer system is claimed in which at 
least one Value Carrying Device is acting as a value accepting 
10 device, the balance of this value carrying device being represented 
by two distinct numbers as indicated above. Then, a value transfer 
protocol can be used to load the Value Carrying Device. 

The invention will be explained with reference to some draw- 
ings intended to illustrate and not to limit the scope of the in- 
15 vention. 

In the drawings, 

Figure 1 shows an electronic purse system in accordance with 
the state of the art; 

Figure 2 shows a value transfer protocol between a value 
20 carrying device and a value accepting device, in which stored sig- 
nature cryptography is used; 

Figure 3 shows an alternative value transfer protocol in 
which a special protective cryptographic aggregate encoding is 
used. 

25 A value transfer protocol conducted according to the current 

invention is shown in Figure 2, which demonstrates its use with a 
signature carrying cryptographic method to protect the transfer as 
of example only, other cryptographic protection techniques could be 
used without any fundamental modification. The Value Carrying 

30 Device 1 and the Value Accepting Device 2 may be a smart card and 
an electronic money accepting terminal, respectively. However, they 
may alternatively be an electronic money supplying terminal and a 
smart card, respectively. The Value Carrying Device 1 is shown to 
contain in addition to a registration of its value represented by 

35 the balance 7 a set of stored digital pre-signatures 17a, . 17d, 
which have been created by or under control of the Value Guaran- 
teeing Institution 1* in an initialisation protocol conducted at 
some earlier time for instance as part of the protocol 12 that 
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initialises the balance 7 of the Value Carrying Device 1. Further 
contained in the Value Carrying Device 1 is a Value Guaranteeing 
Institution Identification (VGI ID) number 18 to uniquely identify 
the Value Guaranteeing Institution A, c.q. its cryptographic public 
5 key, and possibly one or more additional cryptographic public keys 
to verify signatures as created by other Value Guaranteeing Insti- 
tutions. The Value Carrying Device 1 also may contain a log of a 
number of previous value transfer protocols 37a, 37b, 37c, ... each 
log entry containing at least challenge data 25 received or other 
10 such identifying data and a new aggregated value 3 1 * as signed in a 
transfer by the Value Carrying Device 1. 

The Value Accepting Device 2 contains a registration of the 
total value 28 aggregated over all the previous value transfer 
protocols it conducted and in which it has accepted value. In a 
15 practical realisation this total value could be aggregated over a 
specific period, e.g. since the last time an acquiring protocol was 
performed by the Value Accepting Device. Also contained in the 
Value Accepting Device is a cryptographic public key 33a with its 
associated identification number, abbreviated "VGI PK, ID" in 
20 Figure 2. pertaining to the Value Guaranteeing Institution A for 
which the Value Accepting Device 2 is configured to accept value 
transfer messages protected with a digital signature. Optional 
additional cryptographic public keys 33b, 33c ... may be present to 
allow acceptance of signatures from multiple different Value 
25 Guaranteeing Institutions or possibly, using well known key 
certification techniques, to allow acceptance of a range of 
signatures for which the public key is not stored in the Value 
Accepting Device but obtained from the Value Carrying Device in 
additional communications. The Value Accepting Device also contains 
30 the value transfer transaction data 26a which consists of a digital 
signature 27 which proves the correctness of its stored aggregated 
value 28 and any additional data 29 such as the challenge which was 
used to create the signature 27. A collection 26a, 26b, ... of one 
or more sets of transaction data may be maintained by the Value 
35 Accepting Device 2 for auditing and recovery purposes, or for use 
in conjunction each with a particular different key. 

In the value transfer protocol the message 13 originated by 
the Value Accepting Device 2 contains at least the amount of the 
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value to be transferred 20. the value 21 aggregated by the Value 
Accepting Device 2 as copied from the stored number 28, the digital 
signature 22 protecting the aggregate value 21 as copied from the 
stored number 28, any optional additional data 24 as copied from 
5 the stored data 29 that in addition to the aggregate value 21 is 
protected by the signature 22 and that is also needed to allow 
verification of the signature and some new cryptographic challenge 
data 25 which will enhance the protection of the current value 
transfer protocol and in addition may serve to make this instance 

10 of the performed protocol uniquely identifiable. Other data may be 
included in the message for purposes beyond the immediate value 
transfer protocol, which in part may additionally be protected by 
the computed signature. 

Before producing the proving message 14 the Value Carrying 

15 Device 1 performs a signature verification on the received aggre- 
gate value 21 using the digital signature 22 and the additional 
data 24. If the signature is found correct the Value Carrying 
Device 1 continues to decrease its balance by the amount 20 while 
adding that same amount to the aggregate value 21, resulting in the 

20 new aggregate value 3^* It then computes a digital signature to 
protect the newly computed aggregate value 3*\ together with the 
received challenge 25; the signature being computed as appropriate 
for this particular cryptographic method by using the data stored 
as the first most stored pre-signature 17a. The used stored pre- 

25 signature is deleted from the Value Carrying Device 1 making the 
next stored pre-signature 17b available for use in a subsequent 
value transfer protocol as is customary in stored signature 
cryptographic protocols. After these computations have been com- 
pleted the log 37 is updated and the proving message 14 is send to 

30 the Value Accepting Device 2, consisting of the new aggregate value 
3k as computed by the Value Carrying Device 1, the newly computed 
digital signature 35 1 and the VGI ID number 36 identifying the 
Value Guaranteeing Institution 4 and its public key. In an alterna- 
tive embodiment, the aggregate value 3^ Is not transmitted as it 

35 can be computed by the Value Accepting Device. Moreover, the ident- 
ifying number 36 may have been communicated in an earlier message. 

The Value Transfer Protocol, as shown in Figure 2, is com- 
pleted by the Value Accepting Device 2 in first verifying the 
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received new signature 35 to indeed proof the expected new aggre- 
gate value 34 using the appropriate public key 33a, 33b, 33c, ... as 
indicated by the received identifying number 36. If the signature 
is found correct the transaction data 26a is updated in that the 

5 stored value of the signature 27 is replaced by the received new 
signature 35. the stored aggregate value 28 is replaced by the 
received new aggregate value 3 1 * and the stored additional data 29 
is replaced by the challenge 25- As appropriate for the applica- 
tion, before changing these stored values they may have been saved, 

10 e.g. in data 26b. After these actions the Value Accepting Device is 
in its initial state and able to engage in a new value transfer 
protocol . 

If the proving message 1*1 is not received or is found to be 
incorrect it can be retrieved again from the Value Carrying Device 
15 upon request by identifying it with the challenge 25 as send in the 
claiming message 13. where the challenge value is used to locate 
the entry in the transaction log 37a. 37b, 37c. A duplicate proving 
message may then be created by digitally signing the data from the 
log entry and transmitting this data to the requesting Value 
20 Accepting Device. 

Loss of value in the value transfer protocol ♦ as shown in 
Figure 2. is prevented as the computation of the new aggregate 
value 34 and the new balance 7 takes place in a single device with- 
out any intervening communication and the resulting values are 
25 registered in the device memory before the they are communicated. 
For those skilled in the art it is possible to implement the compu- 
tation and registration as an atomic operation with an uncon- 
ditionally consistent and predictable result. As the proving mess- 
age 14, fundamentally, is a crypt ©graphically protected statement 
30 that the said computed and stored consistent result has been 
achieved by the Value Carrying Device it can be repeated without 
restriction, especially without implying additional transfer of 
value. 

A second embodiment according to the current invention is 
35 shown in Figure 3 where the value transfer protocol is provided 
with special protective cryptographic aggregate encoding. As shown 
in Figure 3, the claiming message 13 contains in addition to the 
amount 20 the current aggregate value 28 of the Value Accepting 
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Device 2, as a number 38 encoded according to the current inven- 
tion, which encoding serves as cryptographic protection on the cor- 
rectness of the aggregate value in a method similar to the signa- 
ture 22 in the previously described embodiment. Further data 
5 included in the claiming message 13 is an encoding seed 39. a num- 
ber *J0, referred to as "Terminal ID", identifying the Value Accept- 
ing Device and additional data 4 1 which by inclusion in the encod- 
ing will be cryptographically protected together with the aggregate 
value 3&- Except the amount 20, the data transmitted in the claim- 

10 ing message 13 is copied from the most recent transaction data 26a 
stored in the Value Accepting Device 2 as a result of a previous 
value transfer protocol 30. Multiple collections of transaction 
data 26b, 26c, ... may be present for auditing and recovery purposes 
and also pertaining to the one or more particular instances of the 

15 cryptographic encoding, c.q. pertaining to a particular 
cryptographic key. The proving message minimally contains an 
encoding of the resulting new aggregate value 43 of the Value 
Accepting Device 2 which encoding has been computed by the tamper 
resistant Value Carrying Device 1 using secret data kept in its 

20 memory. 

It is an attribute of the encoding according to the embodi- 
ment of Figure 3 that its validity can be checked by performing a 
publicly known algorithm without knowledge of the secret on which 
the encoding is based. This public verification is possible when- 

25 ever its computation is based on an encoding of a value which is 
less than the value for which the encoding is to be verified. On 
the other hand, computing an encoding of any value in excess of the 
largest value known to be encoded in a particular instance of the 
encoding requires the knowledge of the secret key pertaining to 

30 that instance: the encoding exhibits a one-way property, and may 
serve as a cryptographic signature protecting the correctness of 
its encoded value. Therefor, the Value Accepting Device 2 having 
available both the old and new aggregate values and their respect- 
ive encodings, after receiving the proving message 14 at the end of 

35 the value transfer protocol, can convince itself of the correctness 
of the received message and in particular of the correctness of the 
computed new aggregate value encoding before storing the new value 
and encoding in its memory for use in a subsequent value transfer 



WO 97/458 17 



1* 



PCT/NL96/00211 



protocol. 

The encoding algorithm is based on repetitive application of 
a cryptographic one-way computation to an initial random number; 
algorithms for such computations are known to those skilled in the 
art and require code words of sufficient length depending on the 
particular one-way algorithm, e.g. for a one-way function based on 
the well known DES algorithm, the code words are (A bits. A theor- 
etical logic number system has been conceived by the mathematician 
Guiseppe Peano (1858-1932) in which the fundamental set of natural 
numbers is defined by one first specific element, to be called 
"zero," and a mathematical function (homomorphism) that adds one to 
any natural number; in a similar fashion, the repetitive applica- 
tion of the one-way function to an initial random number can be 
seen as representing a monotonously incrementing counter starting 
wit u . the value 0. In this specific counter the integral values it 
car. assume are encoded with the zero value encoded by the initial 
ran Jam number. Due to the one-way characteristics of the 
cry- -ographic function, a counter constructed with it is also uni- 
di: -tional: that is. it is computationally infeasible, starting 
wi^. on encoding given for a least most value, to compute an encod- 
ing of any value less than that encoded in the given encoding. 

The uni-directional property of cryptographic one-way count- 
ing is the foundation of the cryptographic protection of the aggre- 
ge i value in the embodiment of the invention according to Figure 
3. Each aggregate value is encoded in a one-way counter (not 
e> -cssly shown) such that it is computationally infeasible for the 
Vf e Accepting Device 2 to compute an encoding for any value in 
e>- ';s of the current aggregate value while it is possible, by 
aj yir.g the publicly known cryptographic one-way function, to 
Co- iie the encodings of any value less than the current value. The 
or way counter (not shown) is (or may be) stored in the Value 
A opting Device memory 53 with its maximum value only as the en- 
cr ,ng of the present aggregate value- In particular it is possible 
t -ompute the difference in value between any of these encodings. 
T efore, for any encoding received from the Value Carrying Device 
1 ; proving message lU in a value transfer protocol the Value 
A pting Device 2 can determine whether the encoding is compatible 
w * the amount transferred and the previous and current aggregate 
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ve^ies by computing the difference in value between the encodings. 
Th^ 5 encoding according to the current invention may further use a 
ma-vxujn for an encoded value, the maximum being encoded by the 
rnr.doo number selected as the zero starting value in the 
5 cryptographic one-way counter. Then, an encoding is only valid if 
i- represents a value of 0 or more but less than the maximum value 
si '; for the encoding. As the encoding is a numeric value of some 
sufficiently large size, e.g. 6** bits, a very large number of dis- 
j\j :c collections of encodings for the range of counter values is 

10 pc -ible; the random selection of the number for the encoding of 
t! maximum value may provide each Value .Accepting Device 2 with a 
a- ::;ue sequence of encodings of its aggregate value. 

To obtain security in the aggregate value encoding, the en- 
cr J fng of the maximum value, the initial random number in the one- 

15 w counter, is to be kept confidential exclusively to the Value 
C -ying Device 1 and possibly to the Value Guaranteeing Institu- 
te For instance, this encoding may be contained in a confiden- 
t: ' : ty cryptogram stored in the Value Accepting Device 2 which is 
c .nicated to the Value Carrying Device 1 as part of the claiming 

20 m- ;age 13, said cryptogram for instance being computed by 8 secret 
k-y stored in the Value Carrying Device 1. The integrity of the 
s -zing value of the one-way counter and the associated maximum 
f the encoded value should, preferably, be warranted by an addi- 
t"' 1 cryptographic signature. 

25 The encoding of the aggregate value in the Value Accepting 

D :e 2 may also serve to protect the acquiring protocol 10 in 
t the Value Accepting Device 2 provides the Acquirer 3 with the 
e :ding of the current value and with the encoding of the value 
t *; had been submitted in a previous acquiring protocol; payment 

30 c he based on computing the difference in value between the two 
gi\ \ encodings provided the previous encoding had been registered 
wi* the Acquirer 3 as the very latest encoding received. The very 
f: t encoding of a counter, representing a zero value, may be 
a j red by the Acquirer 3 under any of the cryptographic protec- 

35 t i techniques available to those skilled in the art. Alternative- 
1 . such first zero valued encoding and its associated 
c graphically concealed maximum encoding may have been obtained 
b \a Value Accepting Device 2 in an initial cryptographically 
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authenticated communication from the Acquirer 3, where the Acquirer 
3 has retained said first encoding and concealed maximum under the 
contrc: of the Value Guaranteeing Institution 14. 

An alternative embodiment of the value transfer protocol with 
5 protecting encoding according to the current invention is described 
in F' re 3 with the starting value of the one-way counter computed 
by a. encryption algorithm with a random secret key referred to as 
VG1 T 'lue Guaranteeing Institution) key 42 of data stored in the 
Value ccepting Device 2 and transmitted in the claiming message. 
10 Data : :luded in Che encryption may include in addition to a random 
numbe: referred to as encoding seed 39 and a number indicating the 
oaxirr' . encoding value 44 a terminal ID 40 as to uniquely identify 
the lue Accepting Device and possibly other data 41. Performing 
said :yptographic algorithm serves possibly with an additional 
15 app- -ion of a one-way function and adjustment of the bit length 
a c: national method to select the random number that is to serve 
as t maximum encoding of the aggregate value which by nature of 
its mutation within the confinement of the tamper resistance of 
the ue Carrying Device 1 is kept confidential for the Value 
20 Acc<- ng Device 2 until such time it is as a result of a value 
tra r protocol communicated to it. In that instance, the 
enc of the aggregate value has become exhausted and can no 

Ion be used in further value transfers. A new instance of the 
enc ; must be created, either by requesting it from the Value 
25 Car ; Device 1, for instance in a specific preamble to the value 
tr> : r protocol, or from the Acquirer 3- 

n consequence of the restricted encoding value, the Value 
Acr ng Device 2 will need to have available one or more differ- 
ed ;odings of values, in which the encodings have individually 
30 or l ined sufficient coding space to encode any amount that might 
be c nidered for transfer. By nature of the randomness of the 
mex* value encoding and the relative large number of bits used 
in . . words, a practically unlimited number of distinct instances 
of encoding can be found; each instance of the encoding unique- 
35 ly characterised by any of its restricted number of valid 

cc : >rds. In this case, the value aggregated in the Value Accept- 
in,, /ice 2 is represented by the sum of the values encoded in the 
incL iual cryptographic one-way counters contained in the Value 
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Acc^r ting Device memory 53. If the amount to be transferred is more 
thr- r.he coding of any of the counters would allow for. the trans- 
fer rotocol can be repeated with additional instances of the en- 
co In a more efficient embodiment the individual encoding 

5 in. nces of counters are associated with a weighing factor, such 
thr:.. the total aggregate value is represented by the weighted sum 
of t/.e individual counters. The weighing factor needs cryptographic 
protection similar to that for the maximum count of the associated 
or -y counter such as can be provided by inclusion of a number 
10 rr renting the weighing factor in a confidentiality cryptogram or 
p: led by including it as part of the additional encoding data as 
ir to the cryptogram that serves to compute the maximum value 
e: -iing. 

15 
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Claims 



1. A value transfer system comprising at least one Value Carry- 
ing Device (1) and at least one Value Accepting Device (2) being 
able to communicate with each other, the at least one Value Accept- 
ing Dovice (2) comprising a Value Accepting Device memory (53) for 
storing at least an aggregate value (28) of previous accepted 
values and being arranged to transfer a claiming message (13) rep- 
resenting at least a transaction value (20) to said at least one 
Value Carrying Device (1). the at least one Value Carrying Device 
(1) comprising a Value Carrying Device memory (52) for storing at 
least a balance value (7) and being arranged to transfer a proving 
message [Ik) to said at least one Value Accepting Device (2) t 
char? :erised in that 

the at least one Value Accepting Device (2) is arranged to 
further include into the claiming message (13) a previous aggregate 
value (21) and a corresponding previously computed proving crypto- 
gram (22); 

ihe at least one Value Carrying Device (1) is arranged to 
conr"-.s and include into the proving message (1*0 at least one 
trai -Hon proving cryptogram (35). computed on the basis of the 
prev : s aggregate value (21), the corresponding previously com- 
pute: proving cryptogram (22) and the transaction value (20), and 

the at least one Value Carrying Device (1) is arranged to 
compete the at least one transaction proving cryptogram (35) only 
if it has established the correctness of the received previous 
agr"--":te value (21) by using said corresponding previously corn- 
put cryptogram (22) and after it has reduced the balance value 
(7) -h the transaction value (20). 

2. A value transfer system according to claim 1 further 
characterised in that it comprises a plurality of Value Carrying 
De- -ps (1) which are partitioned into different Value Carrying 
Dev. - sets by classifying the Value Carrying Devices (1) in 
acr -ir.ee with distinct and possibly incompatible ways the at 
le re transaction proving cryptogram (35) is computed and in 
th... .e Value Accepting Device memory (53) is arranged to store 
val transfer transaction data sets (26a, 26b f ...) each corre- 
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spending to one of said Value Carrying Device sets and including a 
serarate aggregate value (28) with a separate associated proving 
cryptogram (27) to the effect that the at least one Value Accepting 
Device (2), upon recognising a Value Carrying Device (1) as per- 
5 taining to one of said Value Carrying Device sets, transmits to 
B9id Value Carrying Device in the claiming message (13) the separ- 
ate aggregate value and separate associated proving cryptogram 
pertaining to the recognised one of said Value Carrying Device 
se* s. 

10 

3. A value transfer system according to claim 1 further 
characterised in that the at least one Value Accepting Device (2) 
is arranged to include into the claiming message (13): 

a number indicating a maximum aggregate value said at least 

15 one Value Accepting Device (2) is configured to operate with and 

a maximum aggregate value cryptogram to proof the correctness 
of the maximum aggregate value, said maximum aggregate value 
cryptogram possibly being the same cryptogram as the previously 
c ^puted proving cryptogram (22), 

20 ar 1 in that the at least one Value Carrying Device (1) is arranged 
to complete a value transfer only if it has proved the correctness 
or" the maximum aggregate value permitted for the at least one Value 
Accepting Device (2) by using said maximum aggregate value crypto- 
g-^m and after it has established that a new aggregate value (3*0 

25 t; at would result from adding the transaction value (20) to the 
previous aggregate value (21) is less than said maximum aggregate 
v lue. 



k. A value transfer system according to claim 1 further 
30 characterised in that the at least one Value Accepting Device (2) 
is arranged to include into the claiming message (13): 

a transaction value number indicating a maximum transaction 
vp. lue said at least one Value Accepting Device (2) is configured to 
onerate with and 

35 a maximum transaction value cryptogram to proof the correct- 

ness of the maximum transaction value, said maximum transaction 
v-lue cryptogram possibly being the same cryptogram as the previ- 
ously computed proving cryptogram (22), 
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and in that the at least one Value Carrying Device (1) is arranged 
to complete a value transfer only if it has proved the correctness 
of the maximum transaction value permitted for the at least one 
Value Accepting Device (2) by using said maximum transaction value 
cryptogram and after it has established that the transaction value 
(20) is less than said maximum transaction value. 

5 # A value transfer system according to claim 1 further 
characterised in that the at least one Value Accepting Device (2) 
is arranged to include into the claiming message (13): 

a transaction number indicating a maximum number of trans- 
actions said at least one Value Accepting Device (2) is 
configured to operate with, 

a maximum transaction number cryptogram to proof correctness 
of said maximum number of transactions, said maximum transac- 
tion number cryptogram being possibly the same cryptogram as 
the previously computed proving cryptogram (22), 
a count of the number of transactions performed at said at 
least one Value Accepting Device (2), and 

a count cryptogram to proof correctness of said count, said 
count cryptogram being possibly the same cryptogram as the 
previously computed proving cryptogram (22) , 
and in that the at least one Value Carrying Device (1) is arranged 
to complete a value transfer only if it has proved the correctness 
of the maximum number of transactions permitted for the at least 
one Value Accepting Device (1) and the count of the number of 
transactions performed, respectively, by using said maximum trans- 
action number cryptogram and count cryptogram, respectively, and if 
it has established that said count is less than said maximum number 
of transactions and 

in that when completing the value transfer the at least one Value 
Carrying Device (1) computes a new transaction count cryptogram for 
the number of transactions incremented by one and transfers said 
transaction count cryptogram to the Value Accepting Device as part 
of the proving message (14). 



6. A Value Carrying Device (1) arranged to communicate with at 
least one Value Accepting Device (2). said Value Carrying Device 
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(1) comprising a Value Carrying Device memory (52) for storing at 
least a balance value (7) and being arranged to receive a claiming 
message (13) representing at least a transaction value (20) and to 
transfer a proving message (14) to said l at least one Value Accept- 

5 ing Device (2), characterised in that the Value Carrying Device 
(10) is arranged to 

receive through the claiming message (13) a previous aggre- 
gate value (21) and a corresponding previously computed proving 
cryptogram (22); 

10 compute and include into the proving message (14) at least 

one transaction proving cryptogram (35). computed on the basis of 
the previous aggregate value (21) t the corresponding previously 
computed proving cryptogram (22) and the transaction value (20) t 
and 

15 compute the at least one transaction proving cryptogram (35) 

only if it has established the correctness of the received previous 
aggregate value (21) by using said corresponding previously com* 
puted cryptogram (22) and after it has reduced the balance value 
(7) with the transaction value (20). 

20 

7. A Value Accepting Device (2) arranged to communicate with at 
least one Value Carrying Device (i), said Value Accepting Device 

(2) comprising a Value Accepting Device memory (53) for storing at 
least an aggregate value (28) of previous accepted values and being 

25 arranged to transfer a claiming message (13) representing at least 
a transaction value (20) to said at least one Value Carrying Device 
(1) and to receive a proving message (1*0 from said at least one 
Value Carrying Device (1), characterised in that 

said Value Accepting Device (2) is arranged to further 

30 include into the claiming message (13) a previous aggregate value 

(21) and a corresponding previously computed proving cryptogram 

(22) in order to allow the at least one Value Carrying Device (1) 
to compute and include into the proving message (14) at least one 
transaction proving cryptogram (35). computed on the basis of the 

35 previous aggregate value (21) t the corresponding previously com- 
puted proving cryptogram (22) and the transaction value (20), and 
to replace in the Value Accepting Device memory (53) after checking 
at least one proving cryptogram the new aggregate value and at 
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least one associated proving cryptogram. 

8. A method of cryptographic ally protecting a communication or a 
sequence of communications between at least one transmitter and at 
least one receiver, and of establishing a monotonic order in which 
messages are communicated or a strict monotonic change of numeric 
values contained in communicated messages characterised in that 
said communications include at least one number representing said 
monotonic order or representing said numeric values and cryptograms 
computed from the at least one number in an encoding using a 
" Peano" number scheme as follows: 

choosing a discrete maximum value for the encoding; 
selecting a cryptographic one-way function that maps starting 
numbers consisting of a predetermined number of bits to 
object numbers consisting of the same predetermined number of 
bits, a functional application to a number being defined as 
"successor operation" in the Peano number scheme; 
selecting a random number consisting of said predetermined 
number of bits as zero element in the Peano number scheme; 
determining a value encoded in a number as the value of a 
Peano number determined by repeated functional applications 
of the one-way function starting with the zero element until 
a result of the functional application of the one-way func- 
tion equals a code number to be decoded, wherein a code word 
is found not to be a valid encoding if none of the results of 
applying repetitively for a number of times equal to the 
chosen discrete maximum value the cryptographic one-way func- 
tion starting with the selected zero element equals the code 
word; 

and in that the at least one transmitter is arranged to select said 
random number while keeping said random number confidential in 
order to warrant unconditional monotomicity of the message order or 
of the numeric values communicated. 

9. Method according to claim 8 characterized in that the random 
number selected as zero element is kept concealed for the at least 
one receiver of said communications by including it in a cryptogram 
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of confidentiality, which may be included in messages exchanged 
between the at least one transmitter and the at least one receiver. 

10. Method according to claim 8 characterized in that the random 
5 number selected as zero element is kept concealed for the receiver 

of said communications by computing said random number from an 
additional random number in conjunction either with additional 
data, such as the number that represents the chosen maximum value 
of the encoding, or that identifies the receiver of said comaunica- 
10 tions or with any data that pertains to a particular series of said 
communications using a secret cryptographic computation, e.g. an 
encryption with a secret key. 

11. A value transfer system comprising at least one Value Carry- 
15 ing Device (1) and at least one Value Accepting Device (2) being 

able to communicate with each other, the at least one Value Accept- 
ing Device (2) comprising a Value Accepting Device memory (53) for 
storing at least an aggregate value (28) of previous accepted 
values and being arranged to transfer a claiming message (13) rep- 

20 resenting at least a transaction value (20) to said at least one 
Value Carrying Device (1), the at least one Value Carrying Device 
(1) comprising a Value Carrying Device memory (52) for storing at 
least a balance value (7) and being arranged to transfer a proving 
message (14) to said at least one Value Accepting Device (2), 

25 characterised in that the Value Accepting Device memory (52) stores 
both said aggregate value (28) and a cryptographically encoded 
aggregate value computed by using a "Peano" number scheme as fol- 
lows : 



choosing a discrete maximum value for the encoding; 



30 



selecting a cryptographic one-way function that maps starting 
numbers consisting of a predetermined number of bits to 
object numbers consisting of the same predetermined number of 
bits, a functional application to a number being defined as 
* successor operation" in the Peano number scheme; 



35 



selecting a random number consisting of said predetermined 
number of bits as zero element in the Peano number scheme; 



determining a value encoded in a number by subtracting from 
said discrete maximum value the value of a Peano number 
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determined by repeated functional applications of the one-way 
function starting with the zero element until a result of the 
functional application of the one-way function equals a code 
number to be decoded, wherein a code word is found not to be 
a valid encoding if none of the results of applying repeti- 
tively for a number of times equal to the chosen discrete 
maximum value the cryptographic one-way function starting 
with the selected zero element equals the code word; 
and in that the at least one Value Accepting Device (2) is arranged 
to include into the claiming message (13) the following data: 
said maximum value (W), 

a zero element cryptogram concealing said zero element in the 
Peano number scheme, 

a correctness cryptogram to proof correctness of said dis- 
crete maximum value and said zero element, and 
an encoded aggregate value (38), 

and in that the at least one Value Carrying Device (1) is arranged 

to complete a value transfer only 

if it has proved the correctness of said discrete maximum 
value and said zero element by using the correctness crypto- 
gram, 

if it determines that, based on said discrete maximum value 
and said zero element, the encoded aggregate value (38) is 
validly encoded, and 

after it has reduced the balance value (7) with the trans- 
action value (20) 
and in that when completing the value transfer the at least one 
Value Carrying Device is arranged to compute an encoded new aggre- 
gate value (43) and to include the latter into the proving message 
(11). 

12, A value transfer system according to claim 11 characterized 
in that the at least one Value Carrying Device (1) is arranged, 
when completing the value transfer, to compute a further correct- 
ness cryptogram for proving the correctness of any additional data 
in the claiming message (13) and, optionally, for protecting said 
discrete maximum value and said zero element. 
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13. A value transfer system comprising at least one Value Carry- 
ing Device (1) and at least one Value Accepting Device (2) being 
able to communicate with each other, the at least one Value Accept- 
ing Device (2) comprising a Value Accepting Device memory (53) for 
5 storing at least an aggregate value (28) of previous accepted 
values and being arranged to transfer a claiming message (13) rep- 
resenting at least a transaction value (20) to said at least one 
Value Carrying Device (1), the at least one Value Carrying Device 
(1) comprising a Value Carrying Device memory (52) for storing at 

10 least a balance value (7) and being arranged to transfer a proving 
message (1*0 to said at least one Value Accepting Device (2), 
characterised in that the Value Accepting Device memory (52) stores 
both said aggregate value (28) and a cryptographically encoded 
aggregate value computed by using a m Peeno m number scheme as fol- 

15 lows : 

choosing a discrete maximum value for the encoding; 
selecting a cryptographic one-way function that maps starting 
numbers consisting of a predetermined number of bits to 
object numbers consisting of the same predetermined number of 

20 bits, a functional application to a number being defined as 

"successor operation 0 in the Peano number scheme; 
selecting an encoding seed and appropriate cryptographic 
algorithm to derive a randomised number consisting of said 
predetermined number of bits for use as zero element in the 

25 Peano number scheme; 

determining a value encoded in a number by subtracting from 
said discrete maximum value the value of a Peano number 
determined by repeated functional applications of the one-way 
function starting with the zero element until a result of the 

30 functional application of the one-way function equals a code 

number to be decoded, wherein a code word is found not to be 
a valid encoding if none of the results of applying repeti- 
tively for a number of times equal to the chosen discrete 
maximum value the cryptographic one-way function starting 

35 with the selected zero element equals the code word; 

and in that the at least one Value Accepting Device (1) is arranged 
to include into the claiming message (13) the following data: 
said maximum value. 
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an encoding seed (39), 

possible additional encoding data (41) 

an encoded aggregate value (38). 
and in that the at least one Value Carrying Device (1) is arranged 
to perform the selected derivation algorithm in such fashion that 
the derived zero element is concealed and to complete a value 
transfer only 

if in using the derivation algorithm it computes the zero 
element from at least the encoding seed and determines said 
previous aggregate value as being validly encoded based on 
said maximum value and said derived zero element, and 
after it has reduced the balance value (7) with the transac- 
tion value (20) , 

and in that when completing the value transfer the at least one 
Value Carrying Device is arranged to compute an encoded new aggre- 
gate value (43) and to include the latter into the proving message 
(14). 

14. A value transfer system according to any of the claims 11 or 
13 further characterised in that the at least one Value Accepting 
Device (2) encodes said aggregate value (28) in a set of one or 
more encoded sub-values using differently computed Peano number 
schemes and associated weighing factors, the encoded aggregate 
value being computed by the weighted sum of the encoded sub-values, 
such that said encoded sub-values are proportional to the associ- 
ated weighing factor, said weighing factors optionally being pro- 
tected either through said correctness cryptogram or said zero 
element derivation. 

15. A value transfer system according to any of the claims 11 or 
13 further characterised in that it comprises a plurality of Value 
Carrying Devices (1) which are partitioned into different Value 
Carrying Device sets by classifying the Value Carrying Devices (1) 
in accordance with distinct and possibly incompatible ways the 
cryptographic one-way function, said zero element cryptogram and 
said correctness cryptogram are computed or said zero element deri- 
vation algorithm is performed and in that the Value Accepting 
Device memory (53) is arranged to store, corresponding to each of 
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said Value Carrying Device sets, a separate aggregate value (28), a 
separate encoded aggregate value (30) and possibly a separate asso- 
ciated proving cryptogram (27) to the effect that the at least one 
Value Accepting Device (2). upon recognising a Value Carrying 
5 Device (1) as pertaining to one of said Value Carrying Device sets, 
transmits to said Value Carrying Device in the claiming message 
(13) the separate aggregate value and associated data pertaining to 
the recognised one of said Value Carrying Device sets. 



10 16. A value transfer system according to any of the claims 11 
through 15 further characterised in that the at least one Value 
Carrying Device memory (52) additionally contains an incremental 
amount number and in that the at least one Value Accepting Device 
memory (53) contains a plurality of aggregate values (28) with 

15 associated encoded aggregate values (30) , associated encoding seeds 
(31) and associated additional encoding data (32) and in that said 
system carries out the value transfer in one or more distinct 
steps, comprising a preparatory value transfer step with a prepara- 
tory claiming message (13) and preparatory proving message (1*1) 

20 such that the preparatory claiming message additionally contains 
data to define at least partially any of the transaction values 
(20) to be transferred in subsequent steps, followed by a number of 
related subsequent incremental value transfer steps with claiming 
messages selected from the following options: 

25 - a claiming message containing only a last computed encoded 
aggregate value; 

a claiming message containing only an encoding seed associ- 
ated to said last computed encoded aggregate value, and 

a claiming message containing only a unique reference to said 

30 last computed encoded aggregate value, 

each of said incremental value transfer steps including a proving 
message containing the encoded new aggregate value (43) computed 
with a transaction value (20) either as received in a previous 
incremental claiming message or as derived from additional data 

35 received in the preparatory claiming message and stored in the at 
least one Value Carrying Device (1), said incremental value trans- 
fer steps possibly taking place with one or more intervening value 
transfers from the at least one Value Carrying Device (1) with a 
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plurality of Value Accepting Devices including the Value Accepting 
Device which transmitted the preparatory claiming message such that 
the latter Value Accepting Device keeps for exclusive use in the 
incremental value transfer steps the encoded aggregate value and 
5 associated data selected from the stored plurality of aggregate 
values (28) with associated encoded aggregate values (30), associ- 
ated encoding seeds (31) and associated additional encoding data 
(32) that had been selected for use in the preparatory value trans- 
fer step. 

10 

17. A value transfer system according to claim 11 further 
characterised in that the at least Value Accepting Device (2) is 
arranged to include into the claiming message a maximum transaction 
value said at least one Value Accepting Device (2) is configured to 

15 operate with, wherein the integrity of said maximum transaction 
value is protected by said correctness cryptogram and in that the 
at least one Value Carrying Device (1) is arranged to complete a 
value transfer only if it proves the correctness of the maximum 
transaction value permitted for the Value Accepting Device by ver- 

20 ifying the last encoded aggregate value and if the transaction 
value (20) is less than said maximum transaction value. 



18. A Value Accepting Device (1) arranged to communicate with at 
least one Value Carrying Device (2) and comprising a Value Accept- 
25 ing Device memory (53) for storing at least an aggregate value (28) 
of previous accepted values and being arranged to transfer a claim- 
ing message (13) representing at least a transaction value (20) to 
said at least one Value Carrying Device (1), the Value Accepting 
Device (2) being arranged to receive a proving message (14) from 
30 said at least one Value Carrying Device (1), characterised in that 
the Value Accepting Device memory (52) stores both said aggregate 
value (28) and a cryptographically encoded aggregate value computed 
by using a "Peano" number scheme as follows: 

choosing a discrete maximum value for the encoding; 
35 - selecting a cryptographic one-way function that maps starting 
numbers consisting of a predetermined number of bits to 
object numbers consisting of the same predetermined number of 
bits, a functional application to a number being defined as 
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•successor operation" in the Peano number scheme; 
selecting a random number consisting of said predetermined 
number of bits as zero element in the Peano number scheme; 
determining a value encoded in a number by subtracting from 
5 said discrete maximum value the value of a Peano number 

determined by repeated functional applications of the one-way 
function starting with the zero element until a result of the 
functional application of the one-way function equals a code 
number to be decoded, wherein a code word is found not to be 

10 a valid encoding if none of the results of applying repeti- 

tively for a number of times equal to the chosen discrete 
maximum value the cryptographic one-way function starting 
with the selected zero element equals the code word; 
and in that the Value Accepting Device (2) is arranged to include 

15 into the claiming message (13) the following data: 
said maximum value (44), 

a zero element cryptogram concealing said zero element in the 
Peano number scheme, 

a correctness cryptogram to proof correctness of said dis- 
20 crete maximum value and said zero element, and 

an encoded aggregate value (38). 



19. A Value Carrying Device (1) arranged to communicate with at 
least one Value Accepting Device (2) as claimed in claim 18 and 

25 arranged to receive a claiming message (13) representing at least a 
transaction value (20) from said at least one Value Accepting 
Device (2), the Value Carrying Device (1) comprising a Value Carry- 
ing Device memory (52) for storing at least a balance value (7) and 
being arranged to transfer a proving message (14) to said at least 

30 one Value Accepting Device (2), characterised in that Value Carry- 
ing Device (1) is arranged to receive the following data in the 
claiming message (13): 

a maximum encoding value (44) t 

a zero element cryptogram concealing said zero element in the 
35 Peano number scheme, 

a correctness cryptogram to proof correctness of said dis- 
crete maximum value and said zero element, and 
an encoded aggregate value (38), 
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and in that the Value Carrying Device (1) is arranged to complete a 

value transfer only 

if it has proved the correctness of said discrete maximum 
value and said zero element by using the correctness crypto- 
gram, 

if it determines that, based on said discrete maximum value 
and said zero element, the encoded aggregate value (38) is 
validly encoded, and 

after it has reduced the balance value (7) with the trans- 
action value (20) 

and in that when completing the value transfer the Value Carrying 
Device is arranged to compute an encoded new aggregate value (*J3) 
and to include the latter into the proving message (14). 

20. A Value Accepting Device (1) arranged to communicate with at 
least one Value Carrying Device (2) and comprising a Value Accept- 
ing Device memory (53) for storing at least an aggregate value (28) 
of previous accepted values and being arranged to provide a claim- 
ing message (13) representing at least a transaction value (20) to 
said at least one Value Carrying Device (1), the Value Accepting 
Device (2) being arranged to receive a proving message (14) from 
said at least one Value Carrying Device (1), characterised in that 
the Value Accepting Device memory (52) stores both said aggregate 
value (28) and a cryptographically encoded aggregate value computed 
by using a "Peano" number scheme as follows: 

choosing a discrete maximum value for the encoding; 
selecting a cryptographic one-way function that maps starting 
numbers consisting of a predetermined number of bits to 
object numbers consisting of the same predetermined number of 
bits, a functional application to a number being defined as 
"successor operation" in the Peano number scheme; 
selecting an encoding seed and appropriate cryptographic 
algorithm to derive a randomised number consisting of said 
predetermined number of bits for use as zero element in the 
Peano number scheme; 

determining a value encoded in a number by subtracting from 
said discrete maximum value the value of a Peano number 
determined by repeated functional applications of the one-way 
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function starting with the zero element until a result of the 
functional application of the one-way function equals a code 
number to be decoded, wherein a code word is found not to be 
a valid encoding if none of the results of applying repeti- 
5 tively for a number of times equal to the chosen discrete 

maximum value the cryptographic one-way function starting 
with the selected zero element equals the code word; 

and in that the Value Accepting Device (2) is arranged to include 

into the claiming message (13) the following data: 
10 - said maximum value (4*0, 
an encoding seed (39) i 
possible additional encoding data (4l) 
an encoded aggregate value (38). 

15 21. A Value Carrying Device (1) arranged to communicate with at 
least one Value Accepting Device (2) as claimed in claim 20 and 
arranged to receive a claiming message (13) representing at least a 
transaction value (20) from said at least one Value Accepting 
Device (2), the Value Carrying Device (1) comprising a Value Carry- 
20 ing Device memory (52) for storing at least a balance value (7) and 
being arranged to transfer a proving message (1*0 to said at least 
one Value Accepting Device (2), characterised in that Value Carry- 
ing Device (1) is arranged to receive the following data in the 
claiming message (13): 
25 a maximum encoding value (44) f 

an encoding seed (39). 
possible additional encoding data (4l), 
an encoded aggregate value (38), 
and in that the Value Carrying Device (1) is arranged to complete a 
30 value transfer only 

if, in using the derivation algorithm it computes the zero 
element from at least the encoding seed and determines said 
previous aggregate value as being validly encoded based on 
said maximum value and said derived zero element, and 
35 " after it has reduced the balance value (7) with the transac- 
tion value (20) , 

and in that when completing the value transfer the at least one 
Value Carrying Device is arranged to compute an encoded new aggre- 
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gate value (43) and to include the latter into the proving message 
(14). 

22. A value transfer system according to any of the claims 1 
through 5 and 11 through 17 further characterised in that the at 
least one Value Accepting Device (2) is implemented as a device 
with a memory only, for instance, a magnetic-strip card or memory- 
chip card. 

23. A value transfer system according to any of the claims 1 
through 5 and 11 through 18 further characterised in that the at 
least one Value Carrying Device (1) is implemented as a smart card. 

24. A value transfer system according to any of the claims 1 
through 7 and 11 through 17 further characterised in that the at 
least one Value Carrying Device (1) and the at least one Value 
Accepting Device (2) are implemented together in an electronic 
device commonly known as a "wallet" and in that the wallet com- 
prises a tamper resistant component carrying out functions of the 
at least one Value Carrying Device (1) arranged to additionally 
monitor and verify a value transfer from a further Value Carrying 
Device to the at least one Value Accepting Device (2) and to 
increment the balance of said at least one Value Carrying Device 
(1) upon a successful completion of the monitored and verified 
value transfer. 

25. A value transfer system according to any of the claims 1 to 7 
further characterised in that the at least one Value Accepting 
Device is arranged to additionally use said at least one transac- 
tion proving algorithm (35) as a shared basis for a cryptographic 
key in a concealment algorithm to be performed on units of elec- 
tronic information transmitted from the at least one Value Accept- 
ing Device to the at least one Value Carrying Device. 

26. A value transfer system according to any of the claims 11 
through 17 further characterised in that the at least one Value 
Accepting Device is arranged to additionally use said encoded new 
aggregate value (43) as a shared basis for a cryptographic key in a 
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concealment algorithm to be performed on units of electronic in- 
formation transmitted from the at least one Value Accepting Device 
to the at least one Value Carrying Device. 

5 27. A value transfer system according to any of the preceding 
claims 1 through 17 further characterised in that the Value Carry- 
ing Device memory (52) comprises said balance (7) represented by a 
first and a second number, said first number indicating a first 
total value of available electronic money as received from a Value 
10 Guaranteeing Institution (4), said second number indicating a 
second total value of electronic money as transfered to any Value 
Accepting Device (2), such that the balance (7) is the numeric 
difference between said first number and said second number. 



15 28- A value transfer system according to any of the claims 1 
through 17 further characterised in that it comprises an at least 
one first and an at least one second Value Carrying Device, the 
Value Carrying Device memory (52) of said first Value Carrying 
Device comprising the balance (7) represented by a first and a 

20 second number, said first number indicating a first total value of 
available electronic money as received from a Value Guaranteeing 
Institution (4), said second number indicating a second total value 
of electronic money as transferred to any Value Accepting Device 
(2), such that the balance (7) is the numeric difference between 

25 said first number and said second number and said first Value 
Carrying Device being also arranged to act as a Value Accepting 
Device storing in its Value Carrying Device memory (52) a 
previously computed proving cryptogram (22) associated with a 
previous value transfer, said second Value Carrying Device arranged 

30 to perform a value transfer protocol with said first Value Carrying 
Device and that in said value transfer protocol said first Value 
Carrying Device includes the claiming message (13) as previous 
aggregate value (21). the value of a first number representing the 
balance of said first Value Carrying Device. 
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